![Page 1: Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!](https://reader036.vdocument.in/reader036/viewer/2022081519/56649c7c5503460f949302d2/html5/thumbnails/1.jpg)
Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, Microsoft Information Security Tools
NEW AND IMPROVED!
Contents
• OWASP Top Ten
• http://www.owasp.org
• A worldwide free and open community focused on improving the security of application software
Introduction
• Do not try this at home. Or at work.
• These are not just ASP.NET vulnerabilities
• If you don’t want to ask public questions ... [email protected] / http://idunno.org
10 – Unvalidated Redirects and Forwards
Unvalidated Redirects and Forwards
• Users don’t check the address bar, so a link to your site that bounces them to a phishing page still looks trustworthy.
• MVC authentication (pre-3.0) is vulnerable: the template’s log-on action redirects to whatever ReturnUrl says.
• Check that the ReturnUrl parameter is local to your site before redirecting –
  http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
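As an added illustration (this is not code from the talk or from the linked post), here is the kind of local-URL check that post recommends, written as a stand-alone console program. The method body, the fallback to "/" and the sample inputs are this example's own; MVC 3 ships the equivalent as Url.IsLocalUrl. The check runs on the already URL-decoded value, which is what an action method receives.

```csharp
// Added example: a ReturnUrl check that only accepts same-site paths.
using System;

public static class ReturnUrlCheck
{
    // Accept "/path" and "~/path" only. "//evil.example" and "/\evil.example"
    // are protocol-relative URLs (browsers treat the backslash as a slash), so
    // they resolve to another host even though they begin with "/".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        if (url[0] == '~')
            return url.Length > 1 && url[1] == '/';

        // Absolute URLs (http://..., javascript:...) and bare host names are never local.
        return false;
    }

    // Where the log-on action should send the user for a given ReturnUrl.
    public static string SafeReturnUrl(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : "/";
    }

    public static void Main()
    {
        // Constructed inputs covering the cases the check must handle.
        string[] samples =
        {
            "/Account/Profile",            // local path: allowed
            "~/Orders?id=7",               // app-relative path: allowed
            "//evil.example/phish",        // protocol-relative: blocked
            "/\\evil.example/phish",       // backslash variant: blocked
            "http://evil.example/phish",   // absolute URL: blocked
            "javascript:alert(1)",         // scheme, not a path: blocked
            "",                            // missing: falls back to "/"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-30} -> {1}", s, SafeReturnUrl(s));
    }
}
```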
9 – Insufficient Transport Layer Protection
Insufficient Transport Layer Protection
• Use SSL/TLS
• Protect communications between the web server and backend systems too (SSL/TLS, IPsec etc.)
• Replay attacks – use time-limited tokens
8 – Failure to restrict URL access
Failure to restrict URL access
• Security by obscurity is useless: an unlinked URL is still reachable by anyone who guesses or learns it
• Restrict via ASP.NET – no rolling your own!
• In the IIS7 integrated pipeline ASP.NET authorization covers every request, not only .aspx pages
• Use [PrincipalPermission] to protect yourself at the method level as well
• IIS7 replaces file ACLs with a web.config based authorization list.
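An added example of that web.config authorization list (this is not a fragment from the talk). The path "Admin", the role "Administrators" and the log-on URL are placeholders; the module re-registration at the end drops the default managedHandler precondition so that the ASP.NET rules are also applied to static files under IIS7 integrated mode.

```xml
<configuration>
  <system.web>
    <!-- Assumed: Forms authentication; the loginUrl is a placeholder. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" />
    </authentication>

    <!-- Site-wide default: "?" is the anonymous user, so every request must be authenticated. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one path. Rules are evaluated top to bottom and the first match wins,
       so the allow must come before the deny-all. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS7 integrated mode: re-register UrlAuthorization without the managedHandler
       precondition so the rules above also protect static files (PDFs, images, downloads). -->
  <system.webServer>
    <modules>
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
  </system.webServer>
</configuration>
```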
7 – Insecure Cryptographic Storage
Insecure Cryptographic Storage
• Symmetric – the same key encrypts and decrypts
• Asymmetric – a public/private key pair
• Use safe algorithms –
  Hashing: SHA-256 (for stored passwords use a salted, deliberately slow KDF such as PBKDF2 rather than a bare hash)
  Symmetric: AES
  Asymmetric: CMS/PKCS#7 enveloped and signed messages
• Encrypt then sign: MAC or sign the ciphertext, and verify that before decrypting anything
Insecure Cryptographic Storage
• Use symmetric when
  – All systems are under your control
  – There is no need to identify who did the encryption
• Use asymmetric when
  – Talking to / accepting data from external systems
  – You need non-repudiation of who encrypted or signed (X.509 certificates)
  – Asymmetric operations work on data held in memory, so no large plaintexts!
• Combine the two for speed and security: encrypt the bulk data with a fresh symmetric key and protect that key with the recipient’s public key
Insecure Cryptographic Storage
• Do not reuse keys for different purposes (one key for encryption, a separate one for the MAC)
• Store keys outside the main database
• Use CryptGenRandom for random numbers (RNGCryptoServiceProvider in .NET), never System.Random
• Use & rotate salts
• Use unique IVs – a fresh random IV for every message
• DPAPI can provide a key store
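An added, self-contained example (not the talk's code) that puts the last three slides together: AES-CBC with a fresh random IV from the CryptGenRandom-backed RNGCryptoServiceProvider, a separate HMAC-SHA256 key so the encryption key is never reused for authentication, and the tag checked in constant time before anything is decrypted ("encrypt then sign"). Where the keys come from is left out and assumed to be DPAPI or another key store; the card-number string is constructed test data.

```csharp
// Added example: AES-CBC encrypt-then-MAC with one key per purpose and a unique IV per message.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecureStorage
{
    // Sealed blob layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    private const int IvSize = 16;
    private const int TagSize = 32;

    // Backed by CryptGenRandom; used for keys and IVs. Never System.Random.
    private static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();

    public static byte[] RandomBytes(int count)
    {
        byte[] bytes = new byte[count];
        Rng.GetBytes(bytes);
        return bytes;
    }

    public static byte[] Seal(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        byte[] iv = RandomBytes(IvSize);            // unique IV for this message
        byte[] ciphertext;
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (ICryptoTransform enc = aes.CreateEncryptor())
        {
            ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        // Encrypt, then MAC over IV || ciphertext with the separate MAC key.
        byte[] blob = new byte[IvSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(iv, 0, blob, 0, IvSize);
        Buffer.BlockCopy(ciphertext, 0, blob, IvSize, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, IvSize + ciphertext.Length);
            Buffer.BlockCopy(tag, 0, blob, IvSize + ciphertext.Length, TagSize);
        }
        return blob;
    }

    public static byte[] Open(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob == null || blob.Length < IvSize + TagSize)
            throw new CryptographicException("blob too short");

        int bodyLen = blob.Length - TagSize;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
            // Verify the tag before touching the ciphertext; compare in constant time.
            if (!FixedTimeEquals(expected, blob, bodyLen))
                throw new CryptographicException("authentication failed");
        }

        byte[] iv = new byte[IvSize];
        Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (ICryptoTransform dec = aes.CreateDecryptor())
        {
            return dec.TransformFinalBlock(blob, IvSize, bodyLen - IvSize);
        }
    }

    // Compares a[0..] with b[offset..] without short-circuiting on the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }

    public static void Main()
    {
        // Assumed: in production both keys come from DPAPI or a key store, not from the database.
        byte[] encKey = RandomBytes(32);   // AES-256 key
        byte[] macKey = RandomBytes(32);   // a different key for the MAC

        byte[] blob = Seal(encKey, macKey, Encoding.UTF8.GetBytes("card=4111111111111111"));   // constructed test data
        Console.WriteLine(Encoding.UTF8.GetString(Open(encKey, macKey, blob)));

        blob[IvSize] ^= 0x01;              // flip one bit of the ciphertext
        try { Open(encKey, macKey, blob); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Because the tag covers the IV as well as the ciphertext, an attacker cannot swap the IV to flip bits in the first plaintext block, and because verification happens before decryption the padding oracle that plain AES-CBC exposes never comes into play.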
6 – Security Misconfiguration
Security Misconfiguration
• PATCH PATCH PATCH
• IIS7 App Pool Isolation – http://learn.iis.net/page.aspx/764/ensure-security-isolation-for-web-sites/
• URLScan
• Security Runtime Engine (CTP)
• Disable unused modules, accounts etc.
Security Misconfiguration

Modules loaded by default:

```xml
<httpModules>
  <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
  <add name="Session" type="System.Web.SessionState.SessionStateModule" />
  <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />
  <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />
  <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
  <add name="Profile" type="System.Web.Profile.ProfileModule" />
</httpModules>
```
Security Misconfiguration
Remove the ones the application does not use:

```xml
<httpModules>
  <remove name="PassportAuthentication" />
  <remove name="Profile" />
  <remove name="AnonymousIdentification" />
</httpModules>
```

• NB: Some modules depend on others. Forms auth needs caching. There’s no easy way to tell!
5 – Cross Site Request Forgery
Cross Site Request Forgery
• WebForms
  – Lock ViewState using ViewStateUserKey
    • Needs a way to identify the user (the session ID, for example)
    • Set it in Page_Init
  – Use a CSRF token – http://anticsrf.codeplex.com
• MVC
  – `<%= Html.AntiForgeryToken() %>` in the form
  – `[ValidateAntiForgeryToken]` on the action method
• Encourage users to log out
• When is a postback not a postback? (A POST forged from another site looks like a postback to WebForms.)
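An added example (not code from the talk, from AntiCSRF or from MVC) of the synchronizer-token idea behind both ViewStateUserKey and Html.AntiForgeryToken(): a token that only validates for the session it was issued to. It assumes the session ID comes from a cookie the framework has already validated, and a dictionary stands in for Request.Form; the session IDs and form values are constructed.

```csharp
// Added example: a per-session anti-CSRF token, issued into a hidden field and checked on POST.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class AntiCsrf
{
    public const string FieldName = "__RequestVerificationToken";

    // token = base64(nonce) "." base64(HMAC-SHA256(serverKey, sessionId || nonce))
    // Binding the MAC to the session ID is the "way to identify the user": a token
    // minted in the attacker's own session is worthless in the victim's.
    public static string Issue(byte[] serverKey, string sessionId)
    {
        byte[] nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(nonce);
        return Convert.ToBase64String(nonce) + "." +
               Convert.ToBase64String(Mac(serverKey, sessionId, nonce));
    }

    public static bool Validate(byte[] serverKey, string sessionId, IDictionary<string, string> form)
    {
        string token;
        if (!form.TryGetValue(FieldName, out token) || string.IsNullOrEmpty(token))
            return false;                       // a cross-site form cannot read the token, so it is absent

        string[] parts = token.Split('.');
        if (parts.Length != 2)
            return false;

        byte[] nonce, tag;
        try
        {
            nonce = Convert.FromBase64String(parts[0]);
            tag = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        byte[] expected = Mac(serverKey, sessionId, nonce);
        if (expected.Length != tag.Length)
            return false;
        int diff = 0;                           // constant-time comparison
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ tag[i];
        return diff == 0;
    }

    // The nonce has a fixed length, so sessionId || nonce cannot be re-split ambiguously.
    private static byte[] Mac(byte[] serverKey, string sessionId, byte[] nonce)
    {
        byte[] sid = Encoding.UTF8.GetBytes(sessionId);
        byte[] input = new byte[sid.Length + nonce.Length];
        Buffer.BlockCopy(sid, 0, input, 0, sid.Length);
        Buffer.BlockCopy(nonce, 0, input, sid.Length, nonce.Length);
        using (var hmac = new HMACSHA256(serverKey))
            return hmac.ComputeHash(input);
    }

    public static void Main()
    {
        byte[] serverKey = new byte[32];        // assumed to live in the machine key or a key store
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(serverKey);

        const string victim = "sess-victim", attacker = "sess-attacker";   // constructed session IDs
        string victimToken = Issue(serverKey, victim);

        // 1. Legitimate postback: the token issued to this session comes back with the form.
        var good = new Dictionary<string, string> { { FieldName, victimToken }, { "amount", "10" } };
        Console.WriteLine("legitimate: " + Validate(serverKey, victim, good));

        // 2. Forged request from another site: the browser attaches the victim's cookies,
        //    but the attacker's page cannot read the victim's token, so the field is missing.
        var forged = new Dictionary<string, string> { { "amount", "10000" } };
        Console.WriteLine("no token:   " + Validate(serverKey, victim, forged));

        // 3. The attacker pastes a token from their own session into the forged form.
        forged[FieldName] = Issue(serverKey, attacker);
        Console.WriteLine("wrong user: " + Validate(serverKey, victim, forged));
    }
}
```

Only the first case validates. The third case is why "needs a way to identify user" matters: a token that is merely random, with no binding to the session, would pass as long as the attacker could obtain any valid one.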
4 – Insecure Direct Object Reference
Insecure Direct Object Reference
• Use indirect object references
• Always check access permissions: that this user may act on this object, not merely that they are logged in
• For MVC don’t allow model binding to your ID field: `[Bind(Exclude="id")]`
3 - Broken Authentication/Sessions
Broken Authentication/Sessions
• Don’t roll your own!
• If you must validate sessions on every request, check the browser string (User-Agent), not the IP address, which changes behind proxies and on mobile networks
2 – Cross Site Scripting
XSS
• `<IMG SRC=javascript:alert('XSS')>`
• `<IMG SRC=JaVaScRiPt:alert('XSS')>` – mixed case, to slip past a case-sensitive filter
• `<IMG` / `SRC=javascript:alert('XSS')>` – the same payload broken across two lines, to defeat single-line pattern matching
XSS
• All input is evil
• Work from white-lists, not black-lists.
• Store un-encoded data in your database; encode on output, for the context it is written into
• Use HttpOnly cookies
• AntiXSS project http://antixss.codeplex.com
  – Better HTML/URL encoding
  – Adds HTML attribute, JavaScript and VBScript encoders
• XSS Cheat Sheet http://ha.ckers.org/xss.html
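An added example (not code from the talk or from AntiXSS) of why encoding alone does not finish the job for the payloads on the previous slide: attribute-encoding src="javascript:alert('XSS')" reproduces it faithfully, because the attacker never needed to break out of the attribute. A user-supplied URL is its own output context and gets a scheme allow-list first, then the usual attribute encoding. The sample inputs are the slide's payloads plus constructed variants, and the placeholder image path is this example's own.

```csharp
// Added example: allow-list the scheme of a user-supplied URL, then attribute-encode it.
using System;
using System.Net;

public static class UrlOutput
{
    // White-list, not black-list: only http(s) absolute URLs or same-site paths pass.
    public static bool IsSafeLinkTarget(string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            return false;

        string v = value.Trim();                // browsers ignore leading whitespace before a scheme
        if (v.StartsWith("/") && !v.StartsWith("//") && !v.StartsWith("/\\"))
            return true;                        // local path, with the protocol-relative forms excluded

        Uri uri;
        if (!Uri.TryCreate(v, UriKind.Absolute, out uri))
            return false;                       // unparseable (embedded tab, stray quote): deny by default
        // Uri normalises the scheme to lower case, so JaVaScRiPt: is caught too.
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    // Build the tag: validate the URL, then encode whatever is emitted for the attribute context.
    public static string ImgTag(string src)
    {
        string target = IsSafeLinkTarget(src) ? src.Trim() : "/images/blocked.png";   // placeholder path
        return "<img src=\"" + WebUtility.HtmlEncode(target) + "\">";
    }

    public static void Main()
    {
        string[] samples =
        {
            "http://example.com/a.png",          // allowed
            "/static/logo.png",                  // allowed
            "javascript:alert('XSS')",           // slide payload: blocked
            "JaVaScRiPt:alert('XSS')",           // slide payload, mixed case: blocked
            "jav\tascript:alert('XSS')",         // cheat-sheet embedded tab: blocked
            "  javascript:alert('XSS')",         // leading whitespace: blocked
            "//evil.example/a.png",              // protocol-relative: blocked
            "data:text/html;base64,PHNjcmlwdD4=",// data: URL: blocked
            "\" onerror=\"alert(1)",             // attribute break-out: blocked and encoded
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-40} {1}", s.Replace("\t", "\\t"), ImgTag(s));
    }
}
```

Rejected values are replaced rather than "cleaned": stripping javascript: from a string and re-checking is the black-list approach the slide warns against, and the mixed-case and embedded-tab variants exist precisely to beat it.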
1 – Injection Flaws
Injection Flaws
• SQL
  – Use SQL parameters
  – Remove direct SQL table access
  – When building SQL strings within stored procedures, parameterise those too (sp_executesql)!
• XPath
  – Use XsltContext to pass values in as variables instead of concatenating them into the expression
  – http://mvpxml.codeplex.com/
Injection Flaws
```sql
-- Inside a stored procedure that receives @first and @last: build the dynamic SQL with
-- placeholders and run it through sp_executesql, so the values travel as parameters.
DECLARE @cmd nvarchar(max);
SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last';
EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first = @first, @last = @last;
```
Changes from 2007
• Dropped: Malicious File Execution
• Dropped: Information Leakage / Improper Error Handling
• Added: Security Misconfiguration
• Added: Unvalidated Redirects and Forwards
The OWASP Top Ten
• A1 – Injection
• A2 – Cross Site Scripting (XSS)
• A3 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
• A5 – Cross Site Request Forgery (CSRF)
• A6 – Security Misconfiguration
• A7 – Insecure Cryptographic Storage
• A8 – Failure to Restrict URL Access
• A9 – Insufficient Transport Layer Protection
• A10 – Unvalidated Redirects and Forwards
Mandatory Book Pimping
Questions